Jail/chroot nginx process inside controller container (#8337)

* Initial work on chrooting nginx process * More improvements in chroot * Fix charts and some file locations * Fix symlink on non chrooted container * fix psp test * Add e2e tests to chroot image * Fix logger * Add internal logger in controller * Fix overlay for chrooted tests * Fix tests * fix boilerplates * Fix unittest to point to the right pid * Fix PR review
2022-04-09 01:48:04 -03:00 · 2022-04-09 01:48:04 -03:00 · 3def835a6a
commit 3def835a6a
parent 83ce21b4dd
41 changed files with 456 additions and 49 deletions
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@ -192,6 +192,8 @@ Takes the form "<host>:port". If not provided, no admission controller is starte
 		statusPort = flags.Int("status-port", 10246, `Port to use for the lua HTTP endpoint configuration.`)
 		streamPort = flags.Int("stream-port", 10247, "Port to use for the lua TCP/UDP endpoint configuration.")

+		internalLoggerAddress = flags.String("internal-logger-address", "127.0.0.1:11514", "Address to be used when binding internal syslogger")
+
 		profilerPort = flags.Int("profiler-port", 10245, "Port to use for expose the ingress controller Go profiler when it is enabled.")

 		statusUpdateInterval = flags.Int("status-update-interval", status.UpdateInterval, "Time interval in seconds in which the status should check if an update is required. Default is 60 seconds")
@ -344,6 +346,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		ValidationWebhook:         *validationWebhook,
 		ValidationWebhookCertPath: *validationWebhookCert,
 		ValidationWebhookKeyPath:  *validationWebhookKey,
+		InternalLoggerAddress:     *internalLoggerAddress,
 	}

 	if *apiserverHost != "" {
--- a/cmd/nginx/logger.go
+++ b/cmd/nginx/logger.go
@ -0,0 +1,51 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"k8s.io/klog/v2"
+
+	"gopkg.in/mcuadros/go-syslog.v2"
+)
+
+func logger(address string) {
+	channel := make(syslog.LogPartsChannel)
+	handler := syslog.NewChannelHandler(channel)
+
+	server := syslog.NewServer()
+
+	server.SetFormat(syslog.RFC3164)
+	server.SetHandler(handler)
+	if err := server.ListenUDP(address); err != nil {
+		klog.Fatalf("failed bind internal syslog: %w", err)
+	}
+
+	if err := server.Boot(); err != nil {
+		klog.Fatalf("failed to boot internal syslog: %w", err)
+	}
+	klog.Infof("Is Chrooted, starting logger")
+
+	for logParts := range channel {
+		fmt.Printf("%s\n", logParts["content"])
+	}
+
+	server.Wait()
+	klog.Infof("Stopping logger")
+
+}
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@ -152,6 +152,13 @@ func main() {
 	registerHealthz(nginx.HealthPath, ngx, mux)
 	registerMetrics(reg, mux)

+	_, errExists := os.Stat("/chroot")
+	if errExists == nil {
+		conf.IsChroot = true
+		go logger(conf.InternalLoggerAddress)
+
+	}
+
 	go startHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux)
 	go ngx.Start()